We present an extension of the second-order logic AF2 with iso-style inductive and coinductive definitions specifically designed to extract programs from proofs à la Krivine-Parigot by means of primitive (co)recursion principles. Our logic includes primitive constructors of least and greatest fixed points of predicate transformers, but contrary to the common approach, we do not restrict ourselves to positive operators to ensure monotonicity; instead we use the Mendler-style, motivated here by the concept of monotonization of an arbitrary operator on a complete lattice. We prove an adequacy theorem with respect to a realizability semantics based on SAT (saturated) sets and SAT-valued functions and, as a consequence, we obtain the strong normalization property for the proof-term reduction, an important feature which is absent in previous related work.

Keywords: Mendler-style, (co)inductive definitions, primitive (co)recursion, strong normalization, 
1 Introduction

The system AF2 for second-order intuitionistic logic introduced by Leivant and Krivine [5, ?] is one of the most fruitful systems obtained by the Curry-Howard correspondence. It types exactly the same terms as the system F of Girard and Reynolds and shares with it the properties of strong normalization and subject reduction. Its main improvement with respect to system F is that it allows the extraction of programs via the programming-with-proofs paradigm of Krivine and Parigot. This method, originally developed in [?] (see also [5]), ensures the correctness of programs ($\lambda$-terms) extracted from proofs of termination statements of functions involving formal data types, that is, from proofs of totality. Well-known results ensure the extraction of programs for all functions whose termination is provable in second-order Peano arithmetic. Nevertheless this result, satisfactory from the extensional point of view, does not suffice for an intensional view concerning programs. In AF2 we can get programs for all needed functions, but these do not necessarily have the intended behavior, see [13]. To solve this problem some extensions of AF2 with least fixed points (TTR [14]) and also with greatest fixed points (AF2$^{\mu\nu}$ [15]) have been introduced. These features allow for the (co)inductive definition of predicates and are suitable for programming with proofs. However, strong normalization is lost due to the use of a fixed-point combinator in the proof-term system, which encodes derivations with lambda terms. The situation is that an iterative function $f$ can be defined within AF2 and therefore its extracted program $\mathsf{f}$ is automatically terminating, but the extracted program for a primitive recursive function employs a fixed-point combinator in the extensions of AF2 and therefore its termination is not obvious at all.
This has led to sophisticated methods to verify that these programs indeed terminate [6], even when they fit into a well-known terminating recursion pattern captured in Gödel's T for the case of natural numbers and generalized to all (co)inductive types in [?, 7, ?], for example. The main contribution of this paper is the introduction of a new extension of AF2 with primitive (co)recursion over least and greatest fixed points, called AF2$^{M\mu\n}$, that enjoys the strong normalization property. Instead of using a fixed-point combinator we use the Mendler-style approach of [8] but with two important differences: we use a natural deduction approach, and we do not restrict ourselves to positive operators. This shows that such a syntactical restriction is irrelevant to the strong normalization proof of the whole Mendler-system, a feature first discovered by Matthes ([7], p. 83) for the inductive fragment. Another contribution of our work is the use of the iso-style, meaning that a (co)inductive predicate and its folding/unfolding are not considered equal but isomorphic. It is important to mention that previous extensions of AF2 with (co)inductive definitions deal only with equi-style predicates, but in our opinion the use of the iso-style is closer to the usual mechanisms of data type definition in functional programming languages. As a consequence of our definition of saturated sets, the proof of the adequacy theorem of our logic does not employ ordinal recursion. Moreover, the rules of our logic are specifically designed to derive statements of totality of functions involving (co)inductive predicates, that is, formulas of the form $\forall x.\mathcal{P}(x) \to \mathcal{Q}(f(x))$. The paper is organized as follows: in section 2 we review the required concepts of fixed-point theory needed to motivate the definition of our logic, which is given in section 3 together with some examples of its expressivity. Section 4 develops the constructions on saturated sets employed in section 5 to define an intuitionistic semantics of the logic. Finally, we discuss related work in section 6 and provide some closing remarks in section 7.

2 Fixed-point theory 

In this section we recall some tools of fixed-point theory involving a complete lattice $(\mathcal{L}, \sqsubseteq, \sqcap)$, where $\sqcap$ is the infimum operator. Given a monotone operator $\Phi : \mathcal{L} \to \mathcal{L}$ the Knaster-Tarski theorem guarantees the existence of the least (greatest) fixed-point of $\Phi$, denoted $\mathrm{lfp}(\Phi)$ or $\mathrm{gfp}(\Phi)$, respectively.

Proposition 1 (Conventional (co)induction principles). Let $\Phi : \mathcal{L} \to \mathcal{L}$ be a monotone operator on a complete lattice $(\mathcal{L}, \sqsubseteq, \sqcap)$. The following holds for every $M \in \mathcal{L}$.

• Induction: if $\Phi(M) \sqsubseteq M$ then $\mathrm{lfp}(\Phi) \sqsubseteq M$.

• Extended induction: if $\Phi(\mathrm{lfp}(\Phi) \sqcap M) \sqsubseteq M$ then $\mathrm{lfp}(\Phi) \sqsubseteq M$.

• Coinduction: if $M \sqsubseteq \Phi(M)$ then $M \sqsubseteq \mathrm{gfp}(\Phi)$.

• Extended coinduction¹: if $M \sqsubseteq \Phi(\mathrm{gfp}(\Phi) \sqcup M)$ then $M \sqsubseteq \mathrm{gfp}(\Phi)$.

Proof. Straightforward. □

The following concepts of monotonization of an arbitrary operator are taken from [?].

Definition 1. Given an arbitrary operator $\Phi : \mathcal{L} \to \mathcal{L}$, we define its upper monotonization $\Phi^{\sqsupseteq} : \mathcal{L} \to \mathcal{L}$ and its lower monotonization $\Phi^{\sqsubseteq} : \mathcal{L} \to \mathcal{L}$ as $\Phi^{\sqsupseteq}(M) = \bigsqcup\{\Phi(X) \mid X \sqsubseteq M\}$ and $\Phi^{\sqsubseteq}(M) = \bigsqcap\{\Phi(X) \mid M \sqsubseteq X\}$.

The properties and relationships between $\Phi$ and its monotonizations are given in the following

Proposition 2. If $\Phi : \mathcal{L} \to \mathcal{L}$ is an arbitrary operator then $\Phi^{\sqsubseteq}$ and $\Phi^{\sqsupseteq}$ are monotone. Moreover,

• For any $M \in \mathcal{L}$, $\Phi^{\sqsubseteq}(M) \sqsubseteq \Phi(M) \sqsubseteq \Phi^{\sqsupseteq}(M)$.

• If $\Phi$ is monotone then $\Phi^{\sqsubseteq} = \Phi = \Phi^{\sqsupseteq}$, and if $\Phi^{\sqsubseteq} = \Phi$ or $\Phi = \Phi^{\sqsupseteq}$ then $\Phi$ is monotone.

• $\Phi(\mathrm{lfp}(\Phi^{\sqsupseteq})) \sqsubseteq \mathrm{lfp}(\Phi^{\sqsupseteq})$ and $\mathrm{gfp}(\Phi^{\sqsubseteq}) \sqsubseteq \Phi(\mathrm{gfp}(\Phi^{\sqsubseteq}))$.

Proof. Straightforward. □

¹ Recall that in a complete lattice the supremum operator $\sqcup$ can be defined from the infimum operator $\sqcap$.

Next we justify the Mendler-style (co)induction principles by means of the monotonizations. This justification is not present in the original work of Mendler [8]. However, the inductive part is discussed in [7].

Proposition 3 (Mendler (co)induction principles). The following holds for any $\Phi : \mathcal{L} \to \mathcal{L}$ and $M \in \mathcal{L}$.

• Induction: if $\forall X\,(X \sqsubseteq M \to \Phi(X) \sqsubseteq M)$ then $\mathrm{lfp}(\Phi^{\sqsupseteq}) \sqsubseteq M$.

• Extended induction: if $\forall X\,(X \sqsubseteq \mathrm{lfp}(\Phi^{\sqsupseteq}) \to X \sqsubseteq M \to \Phi(X) \sqsubseteq M)$ then $\mathrm{lfp}(\Phi^{\sqsupseteq}) \sqsubseteq M$.

• Coinduction: if $\forall X\,(M \sqsubseteq X \to M \sqsubseteq \Phi(X))$ then $M \sqsubseteq \mathrm{gfp}(\Phi^{\sqsubseteq})$.

• Extended coinduction: if $\forall X\,(\mathrm{gfp}(\Phi^{\sqsubseteq}) \sqsubseteq X \to M \sqsubseteq X \to M \sqsubseteq \Phi(X))$ then $M \sqsubseteq \mathrm{gfp}(\Phi^{\sqsubseteq})$.

Proof. The conventional (co)induction principles for $\Phi^{\sqsubseteq}$ and $\Phi^{\sqsupseteq}$ yield the required principles. For details see [11]. □
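The two plain cases of this proof, written out as an added illustration (not part of the original paper); the extended cases use the hypothesis only for the $X$ below $\mathrm{lfp}(\Phi^{\sqsupseteq}) \sqcap M$, respectively above $\mathrm{gfp}(\Phi^{\sqsubseteq}) \sqcup M$, and then the extended principles of Proposition 1 instead of the plain ones:

$$\begin{aligned}
\forall X\,(X \sqsubseteq M \to \Phi(X) \sqsubseteq M) \;&\Longrightarrow\; \Phi^{\sqsupseteq}(M) = \bigsqcup\{\Phi(X) \mid X \sqsubseteq M\} \sqsubseteq M \;\Longrightarrow\; \mathrm{lfp}(\Phi^{\sqsupseteq}) \sqsubseteq M, \\
\forall X\,(M \sqsubseteq X \to M \sqsubseteq \Phi(X)) \;&\Longrightarrow\; M \sqsubseteq \bigsqcap\{\Phi(X) \mid M \sqsubseteq X\} = \Phi^{\sqsubseteq}(M) \;\Longrightarrow\; M \sqsubseteq \mathrm{gfp}(\Phi^{\sqsubseteq}).
\end{aligned}$$

In each line the first step is the definition of the monotonization together with the hypothesis ($M$ bounds every $\Phi(X)$ in the set), and the last step is the induction, respectively coinduction, principle of Proposition 1 applied to the monotone operator $\Phi^{\sqsupseteq}$, respectively $\Phi^{\sqsubseteq}$.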



3 The Logic AF2$^{M\mu\nu}$

We present now the logic AF2$^{M\mu\nu}$, which is an extension of AF2 with Mendler-style (co)inductive definitions.

• Terms: the object terms are defined as usual from a signature $\Sigma$ including function symbols $f$ of a given arity.

$$t ::= x \mid f(t_1, \ldots, t_n)$$

• Predicates: apart from the usual predicates (second-order variables or predicate symbols of a signature $\Sigma$) we have comprehension predicates, inductive predicates $\mu(\Phi)$ and coinductive predicates $\nu(\Phi)$.

$$\mathcal{P} ::= X \mid P \mid \mathcal{A} \mid \mu(\Phi) \mid \nu(\Phi)$$

Here $\mathcal{A}$ is a comprehension predicate of the form $\mathcal{A} =_{def} \lambda\vec{x}.A$, where $A$ is a formula and its arity is the length of the vector of variables $\vec{x}$; this predicate intends to represent the set $\{\vec{t} \mid A[\vec{x} := \vec{t}]\}$. On the other hand, $\Phi$ is an arbitrary predicate transformer, which is a closed expression of the form $\Phi =_{def} \lambda X.\mathcal{P}$, depending on a second-order variable $X$. Observe that we do not require any syntactic restriction, like positivity, on the occurrences of $X$ in $\mathcal{P}$.

• Formulas: these are defined as usual

$$A, B ::= \mathcal{P}(t_1, \ldots, t_n) \mid A \to B \mid \forall x A \mid \forall X A$$

• On equations: term equations are formulas which play an important role in the logic and are defined as usual in second-order logic: the equation $r = s$ stands for the formula $\forall X.X(r) \to X(s)$.



Miranda-Perea and Gonzalez-Huesca 33 

The judgments of the logic are of the form $\Gamma \vdash_E t : A$ where $\Gamma = \{x_1 : A_1, \ldots, x_n : A_n\}$ is a context of formulas annotated by proof-term variables, $E = \{r_1 = s_1, \ldots, r_n = s_n\}$ is a context of equations, $A$ is a formula and $t$ is a proof-term, which is a lambda term not to be confused with an object term; even though we use the same meta-variables for both object and proof-terms, we consider them to be two completely separate syntactic categories. The derivation relation is inductively defined by means of the following inference rules, where $A[x := r]$ ($A[X := \mathcal{P}]$) always denotes capture-avoiding substitution of first-order (second-order) variables by a term (predicate) in the formula $A$.



• Rules of AF2:

$$\frac{}{\Gamma, x : A \vdash x : A}\ (\mathrm{Var}) \qquad
\frac{\Gamma, x : A \vdash r : B}{\Gamma \vdash \lambda x.r : A \to B}\ (\to I) \qquad
\frac{\Gamma \vdash r : A \to B \quad \Gamma \vdash s : A}{\Gamma \vdash r\,s : B}\ (\to E)$$

$$\frac{\Gamma \vdash t : A \quad x \notin FV(\Gamma)}{\Gamma \vdash t : \forall x A}\ (\forall^1 I) \qquad
\frac{\Gamma \vdash t : \forall x A}{\Gamma \vdash t : A[x := r]}\ (\forall^1 E) \qquad
\frac{\Gamma \vdash t : A \quad X \notin FV(\Gamma)}{\Gamma \vdash t : \forall X A}\ (\forall^2 I) \qquad
\frac{\Gamma \vdash t : \forall X A}{\Gamma \vdash t : A[X := \mathcal{P}]}\ (\forall^2 E)$$

$$\frac{\Gamma \vdash_E t : A[x := r] \quad E \rhd r = s}{\Gamma \vdash_E t : A[x := s]}\ (=)$$

Here $E \rhd r = s$ means a derivation of $r = s$ from the set of equations $E$ according to the following rules:

- $E \rhd r = s$, if $r = s$ is a particular case of an equation in $E$. That is, an equation of the form $r_1[\vec{x} := \vec{t}] = r_2[\vec{x} := \vec{t}]$ or $r_2[\vec{x} := \vec{t}] = r_1[\vec{x} := \vec{t}]$, where $r_1 = r_2 \in E$ and $\vec{t}$ are arbitrary terms.

- $r = s$ was obtained from $E$ by reflexivity, transitivity or compatibility with functions, that is, by one of the following rules:

$$\frac{}{E \rhd r = r} \qquad \frac{E \rhd r = s \quad E \rhd s = t}{E \rhd r = t} \qquad \frac{E \rhd r_1 = s_1 \quad \ldots \quad E \rhd r_n = s_n}{E \rhd f(r_1, \ldots, r_n) = f(s_1, \ldots, s_n)}$$

• Rules involving (co)inductive definitions: these rules are specifically designed to construct (destruct) elements of an inductive (coinductive) predicate and to prove statements of totality of functions. Given two $n$-ary² predicates $\mathcal{P}, \mathcal{Q}$ and a vector $\vec{g}$ of $n$ function symbols, the following notation will be used: $\mathcal{P} \subseteq_{\vec g} \mathcal{Q}$ is the formula $\forall\vec{x}.\mathcal{P}(\vec{x}) \to \mathcal{Q}(\vec{g}(\vec{x}))$, where, in general, a vector application of $\vec{f} =_{def} f_1, \ldots, f_n$ to $\vec{t} =_{def} t_1, \ldots, t_n$, denoted $\vec{f}(\vec{t})$, is defined as $\vec{f}(\vec{t}) =_{def} f_1(t_1), \ldots, f_n(t_n)$. In particular $\mathcal{P} \subseteq \mathcal{Q}$ is the formula $\forall\vec{x}.\mathcal{P}(\vec{x}) \to \mathcal{Q}(\vec{x})$, or even $\mathcal{P} \to \mathcal{Q}$ if the predicates have arity 0. Given a predicate transformer $\Phi =_{def} \lambda X.\mathcal{P}$ and a predicate $\mathcal{Q}$, the application of $\Phi$ to $\mathcal{Q}$ is defined by $\Phi(\mathcal{Q}) =_{def} \mathcal{P}[X := \mathcal{Q}]$; clearly $\Phi(\mathcal{Q})$ is a predicate. The following rules are motivated by the last part of proposition 2 and by proposition 3 for lattices of sets. It is important to observe that in each rule we employ $\mu(\Phi)$ or $\nu(\Phi)$ instead of the expected $\mu(\Phi^{\sqsupseteq})$ or $\nu(\Phi^{\sqsubseteq})$. This choice will be justified by the semantics.

² We are mostly interested in predicates for data types, which means $n = 1$. However we present the system for any arity for the sake of generality.
- Inductive construction and coinductive destruction: for any (co)inductive predicate $\mu(\Phi)$ or $\nu(\Phi)$ of arity $n$, we assume a fixed set of $n$ function symbols $\vec{c}$ or $\vec{d}$, called the constructors of $\mu(\Phi)$ or the destructors of $\nu(\Phi)$.

$$\frac{\Gamma \vdash r : \Phi(\mu(\Phi))(\vec{t})}{\Gamma \vdash \mathsf{in}\, r : \mu(\Phi)(\vec{c}(\vec{t}))}\ (\mu I) \qquad
\frac{\Gamma \vdash r : \nu(\Phi)(\vec{t})}{\Gamma \vdash \mathsf{out}\, r : \Phi(\nu(\Phi))(\vec{d}(\vec{t}))}\ (\nu E)$$

These rules correspond to the last part of proposition 2, but observe that our (co)inductive predicates are in iso-style, due to the presence of the constructors $\vec{c}$ (destructors $\vec{d}$). Moreover, the equi-style can be easily recovered by using as constructors/destructors the identity function symbol $\mathsf{id}$ while adding $\mathsf{id}(x) = x$ to the equational axioms.

- Primitive recursion: this rule is modelled after the Mendler extended induction principle given by proposition 3. Here we regard a composition $f \circ c$ as a new function symbol defined by the equation $(f \circ c)(x) = f(c(x))$ and a composition of tuples $\vec{f} \circ \vec{c}$ as the tuple $f_1 \circ c_1, \ldots, f_n \circ c_n$.

$$\frac{\Gamma \vdash s : \forall X\,(X \subseteq \mu(\Phi) \to X \subseteq_{\vec f} \mathcal{K} \to \Phi(X) \subseteq_{\vec f \circ \vec c} \mathcal{K}) \quad \Gamma \vdash r : \mu(\Phi)(\vec{t})}{\Gamma \vdash \mathsf{MRec}\, s\, r : \mathcal{K}(\vec{f}(\vec{t}))}\ (\mu E)$$

- Primitive corecursion: the Mendler extended coinduction principle of proposition 3 inspires the following rule. Observe that in both rules (recursion and corecursion) we can recover the corresponding exact principle of proposition 3 by using the equi-style and by regarding $\vec{f}$ as the identity function via the equation $f(x) = x$.

$$\frac{\Gamma \vdash s : \forall X\,(\nu(\Phi) \subseteq X \to \mathcal{K} \subseteq_{\vec f} X \to \mathcal{K} \subseteq_{\vec d \circ \vec f} \Phi(X)) \quad \Gamma \vdash r : \mathcal{K}(\vec{t})}{\Gamma \vdash \mathsf{MCoRec}\, s\, r : \nu(\Phi)(\vec{f}(\vec{t}))}\ (\nu I)$$

• Operational semantics: to end the definition of our logic, we define the operational semantics of the proof-term reduction, which is given by the one-step reduction relation $t \to t'$ defined as the closure of the following axioms under all term formers.

$$(\lambda x.r)\,s \mapsto_\beta r[x := s] \qquad
\mathsf{MRec}\, s\, (\mathsf{in}\, t) \mapsto s\,(\lambda x.x)\,(\mathsf{MRec}\, s)\,t \qquad
\mathsf{out}(\mathsf{MCoRec}\, s\, t) \mapsto s\,(\lambda x.x)\,(\mathsf{MCoRec}\, s)\,t$$

Here and throughout the paper $\mathsf{MRec}\, s$ means $\lambda x.\mathsf{MRec}\, s\, x$ and the same is true for $\mathsf{MCoRec}\, s$.

• Derived rules: to simplify the presentation of examples we will employ the usual second-order encodings for conjunctions, disjunctions and existential formulas, which allow us to obtain the following derived rules for judgements and operational semantics:

$$\frac{\Gamma \vdash r : A \quad \Gamma \vdash s : B}{\Gamma \vdash \langle r, s\rangle : A \wedge B}\ (\wedge I) \qquad
\frac{\Gamma \vdash r : A \wedge B}{\Gamma \vdash \mathsf{fst}\, r : A}\ (\wedge E_L) \qquad
\frac{\Gamma \vdash s : A \wedge B}{\Gamma \vdash \mathsf{snd}\, s : B}\ (\wedge E_R)$$

$$\frac{\Gamma \vdash r : A}{\Gamma \vdash \mathsf{inl}\, r : A \vee B}\ (\vee I_L) \qquad
\frac{\Gamma \vdash r : B}{\Gamma \vdash \mathsf{inr}\, r : A \vee B}\ (\vee I_R) \qquad
\frac{\Gamma \vdash r : A \vee B \quad \Gamma, x : A \vdash s : C \quad \Gamma, y : B \vdash t : C}{\Gamma \vdash \mathsf{case}(r, x.s, y.t) : C}\ (\vee E)$$

$$\frac{\Gamma \vdash t : A[x := r]}{\Gamma \vdash \mathsf{pack}\, t : \exists x.A}\ (\exists I) \qquad
\frac{\Gamma \vdash t : \exists x.A \quad \Gamma, u : A \vdash r : B \quad x \notin FV(\Gamma, B)}{\Gamma \vdash \mathsf{open}(t, u.r) : B}\ (\exists E)$$

$$\mathsf{fst}\langle r, s\rangle \mapsto_\beta r \qquad \mathsf{snd}\langle r, s\rangle \mapsto_\beta s \qquad
\mathsf{case}(\mathsf{inl}\, r, x.s, y.t) \mapsto_\beta s[x := r] \qquad
\mathsf{case}(\mathsf{inr}\, r, x.s, y.t) \mapsto_\beta t[y := r] \qquad
\mathsf{open}(\mathsf{pack}\, t, u.r) \mapsto_\beta r[u := t]$$

The proof-reduction behaves well with respect to the derivation relation, as ensured by the following

Proposition 4 (Subject reduction of AF2$^{M\mu\nu}$). If $\Gamma \vdash_E t : A$ and $t \to^* t'$ then $\Gamma \vdash_E t' : A$.

Proof. The proof is not trivial since AF2$^{M\mu\nu}$ is formulated in Curry-style; it is analogous to the one developed in [9] for a similar system. □

3.1 On (Co)Iteration

In fixed-point theory, (co)iteration can be easily derived from primitive (co)recursion. This is not the case for conventional (co)induction principles in type theory like the ones developed in [?] (see section 4.5 of [7] for a deep discussion on this subject) and therefore (co)iterators must be defined apart from (co)recursors. For the Mendler-style, (co)iterators correspond to the (co)induction principles of proposition 3 and are again superfluous (as noticed also in [11]). Let us define $\mathsf{MIt}\, s\, r =_{def} \mathsf{MRec}\, s'\, r$ and $\mathsf{MCoIt}\, s\, r =_{def} \mathsf{MCoRec}\, s'\, r$, where $s' =_{def} \lambda\_.s$ and $\_$ is a dummy variable. The following rules for inference and proof-reduction are derivable:

• Iteration

$$\frac{\Gamma \vdash s : \forall X\,(X \subseteq_{\vec f} \mathcal{K} \to \Phi(X) \subseteq_{\vec f \circ \vec c} \mathcal{K}) \quad \Gamma \vdash r : \mu(\Phi)(\vec{t})}{\Gamma \vdash \mathsf{MIt}\, s\, r : \mathcal{K}(\vec{f}(\vec{t}))}\ (\mu E^-)$$

• Coiteration

$$\frac{\Gamma \vdash s : \forall X\,(\mathcal{K} \subseteq_{\vec f} X \to \mathcal{K} \subseteq_{\vec d \circ \vec f} \Phi(X)) \quad \Gamma \vdash r : \mathcal{K}(\vec{t})}{\Gamma \vdash \mathsf{MCoIt}\, s\, r : \nu(\Phi)(\vec{f}(\vec{t}))}\ (\nu I^-)$$

$$\mathsf{MIt}\, s\, (\mathsf{in}\, t) \to s\,(\mathsf{MIt}\, s)\,t \qquad \mathsf{out}(\mathsf{MCoIt}\, s\, t) \to s\,(\mathsf{MCoIt}\, s)\,t$$

We will use both the (co)iteration and the primitive (co)recursion rules in the examples that we discuss next.

3.2 Examples

In this section we develop some examples of (co)inductive predicates that show the expressivity of our logic. Due to lack of space a deep discussion about the advantages and disadvantages of both the iso-style and the equi-style is missing. Instead, we provide some examples that show some of such (dis)advantages. Every program ($\lambda$-term) $\mathsf{f}$ presented here is extracted from a proof of totality for a function $f$ involving (co)inductive predicates and specified by a set of equations in the logic. Moreover, the reader can verify that in each case $\mathsf{f}$ is operationally correct.

Example 1 (Iso-inductive ad-hoc natural numbers). Let $() =_{def} \lambda x.x = *$ where $*$ is a fixed constant; this comprehension predicate is called the unit predicate and represents a type with unique inhabitant $*$. We define the predicate of natural numbers as $\mathsf{N} =_{def} \mu(\Phi)$ where $\Phi =_{def} \lambda X.\lambda x.()(x) \vee X(x)$, taking the successor function $\mathsf{suc}$ as constructor and $\mathsf{suc}(*) = 0$ as equational axiom. Defining $\mathsf{0} =_{def} \mathsf{in}(\mathsf{inl}\,())$³ and $\mathsf{suc} =_{def} \lambda x.\mathsf{in}(\mathsf{inr}\, x)$ we can show that $\vdash \mathsf{0} : \mathsf{N}(0)$ and $\vdash \mathsf{suc} : \forall x.\mathsf{N}(x) \to \mathsf{N}(\mathsf{suc}\, x)$. We call this an ad-hoc definition, for zero is in the image of the successor and therefore our representation is not compatible with Peano's axioms. This is an unpleasant feature which can be avoided at some cost (see example 3). However, operationally, our definition is adequate. For instance, the sum and factorial are programmed as follows:

• Sum: from $E_{\mathsf{sum}} = \{\mathsf{sum}\, n\, 0 = n,\ \mathsf{sum}\, n\, (\mathsf{suc}\, m) = \mathsf{suc}(\mathsf{sum}\, n\, m)\}$, we get $\vdash_{E_{\mathsf{sum}}} \mathsf{sum} : \forall n.\forall x.\mathsf{N}(n) \to \mathsf{N}(x) \to \mathsf{N}(\mathsf{sum}\, n\, x)$, where $\mathsf{sum} =_{def} \lambda n.\mathsf{MIt}\, s$ and $s =_{def} \lambda y.\lambda z.\mathsf{case}(z, u.n, v.\mathsf{suc}(y\, v))$. This program behaves correctly: $\mathsf{sum}\, n\, \mathsf{0} \to^* n$ and $\mathsf{sum}\, n\, (\mathsf{suc}\, m) \to^* \mathsf{suc}(\mathsf{sum}\, n\, m)$.

• Factorial: using the equations $E_{\mathsf{fac}} = \{\mathsf{fac}\, 0 = 1,\ \mathsf{fac}\,(\mathsf{suc}\, n) = (\mathsf{suc}\, n) * (\mathsf{fac}\, n)\}$, we can derive $\vdash_{E_{\mathsf{fac}}} \mathsf{fac} : \forall x.\mathsf{N}(x) \to \mathsf{N}(\mathsf{fac}\, x)$, where $\mathsf{fac} =_{def} \mathsf{MRec}\, s$ and the step term $s$ is defined as $s =_{def} \lambda y.\lambda z.\lambda w.\mathsf{case}(w, u.\mathsf{1}, v.\mathsf{suc}(y\, v) * (z\, v))$.

The reader should convince herself that the naive definition of natural numbers coming from fixed-point theory, given by the predicate transformer $\Phi =_{def} \lambda X.\lambda x.x = 0 \vee X(x)$, does not work. In the equi-inductive approach we cannot construct any number other than zero, and in the iso-inductive case we cannot construct the zero. Another possibility is the one taken in [16], discussed next.

Example 2 (Equi-inductive natural numbers). We define $\mathsf{N} =_{def} \mu(\Phi)$ with the predicate transformer $\Phi = \lambda X.\lambda x.\mathsf{Z}(x) \vee X(p(x))$, where $\mathsf{Z} =_{def} \lambda x.x = 0$ and $p$ is a function symbol whose intended meaning is the predecessor function. We have $\vdash \mathsf{0} : \mathsf{N}(0)$ and $\vdash \mathsf{p} : \forall x.\mathsf{N}(p(x)) \to \mathsf{N}(x)$ where $\mathsf{0} =_{def} \mathsf{in}(\mathsf{inl}\,())$ and $\mathsf{p} =_{def} \lambda x.\mathsf{in}(\mathsf{inr}\, x)$. In this case we have the following derivation: $f_0 : \forall x.\mathsf{Z}(x) \to \mathsf{It}(x),\ f_p : \forall x.\mathsf{It}(p(x)) \to \mathsf{It}(x) \vdash \mathsf{MIt}\, s : \forall x.\mathsf{N}(x) \to \mathsf{It}(x)$, where $s =_{def} \lambda x.\lambda y.\mathsf{case}(y, u.f_0(u), v.f_p(x\, v))$ and $\mathsf{It}(x)$ is a predicate representing the fact that the image of a given function $f$ on $x$ was defined by iteration. If we set $g =_{def} \mathsf{MIt}\, s$ then $g\, \mathsf{0} \to^* f_0\,()$ and $g\,(\mathsf{p}\, n) \to^* f_p\,(g\, n)$. This example shows that our logic subsumes the Mendler-style programming methodology of [16]. However, this approach does not correspond to the idea of programming with proofs that we pursue.

Our final version of natural numbers shows the full use of the iso-inductive style and depends on the disjoint union of predicates $\uplus$, which is a predicate that can be defined in the presence of Parigot's restriction operator $\upharpoonright$ (see [14]). This operator can be added to our logic without a problem and behaves as a conjunction where the right formula is an equation without algorithmic content. Defining $\mathcal{P} \uplus \mathcal{Q} =_{def} \lambda x.\exists z.(\mathcal{P}(z) \upharpoonright x = \mathsf{lf}\, z) \vee (\mathcal{Q}(z) \upharpoonright x = \mathsf{rg}\, z)$ we get that $\Gamma \vdash r : \mathcal{P}(t)$ implies $\Gamma \vdash \mathsf{pack}(\mathsf{inl}\, r) : (\mathcal{P} \uplus \mathcal{Q})(\mathsf{lf}\, t)$ and, symmetrically, $\Gamma \vdash r : \mathcal{Q}(t)$ implies $\Gamma \vdash \mathsf{pack}(\mathsf{inr}\, r) : (\mathcal{P} \uplus \mathcal{Q})(\mathsf{rg}\, t)$. One important advantage of using this predicate together with our iso-style is that we do not need to deal directly with existential formulas in definitions, and therefore the following examples are closer to the data type definition mechanisms of functional programming languages.

Example 3 (Iso-inductive natural numbers). The natural numbers are given now by the inductive definition $\mathsf{N} =_{def} \mu(\Phi)$ where $\Phi = \lambda X.() \uplus X$, and we use a generic constructor $\mathsf{cnat}$, which yields the usual constructors by adopting the equational axioms $0 = \mathsf{cnat}(\mathsf{lf}\, *)$ and $\mathsf{suc}\, x = \mathsf{cnat}(\mathsf{rg}\, x)$. These constructors are implemented by $\mathsf{0} =_{def} \mathsf{in}(\mathsf{pack}(\mathsf{inl}\,()))$ and $\mathsf{suc} =_{def} \lambda z.\mathsf{in}(\mathsf{pack}(\mathsf{inr}\, z))$. Let us present the extracted programs for sum, factorial and predecessor:

• Sum: from $E_{\mathsf{sum}} = \{\mathsf{sum}\, n\, 0 = n,\ \mathsf{sum}\, n\, (\mathsf{suc}\, m) = \mathsf{suc}(\mathsf{sum}\, n\, m)\}$, we derive $\vdash_{E_{\mathsf{sum}}} \lambda n.\mathsf{MIt}\, s : \forall n.\forall x.\mathsf{N}(n) \to \mathsf{N}(x) \to \mathsf{N}(\mathsf{sum}\, n\, x)$ where $s =_{def} \lambda y.\lambda z.\mathsf{open}(z, u.\mathsf{case}(u, v.n, w.\mathsf{suc}(y\, w)))$. Therefore we get $\mathsf{sum} =_{def} \lambda n.\mathsf{MIt}\, s$.

• Factorial: from $E_{\mathsf{fac}} = \{\mathsf{fac}(0) = 1,\ \mathsf{fac}(\mathsf{suc}(n)) = \mathsf{suc}(n) * \mathsf{fac}(n)\}$, we derive $\vdash_{E_{\mathsf{fac}}} \mathsf{MRec}\, s : \forall x.\mathsf{N}(x) \to \mathsf{N}(\mathsf{fac}\, x)$ where $s =_{def} \lambda y.\lambda z.\lambda w.\mathsf{open}(w, u.\mathsf{case}(u, u_1.\mathsf{1}, u_2.\mathsf{suc}(y\, u_2) * (z\, u_2)))$. Therefore $\mathsf{fac} =_{def} \mathsf{MRec}\, s$ is a correct program for the factorial.

• Predecessor: an efficient error-handling predecessor specified by $E_{\mathsf{pred}} = \{\mathsf{error} = \mathsf{lf}\, *,\ \mathsf{pred}\, 0 = \mathsf{error},\ \mathsf{pred}\,(\mathsf{suc}\, n) = \mathsf{rg}\, n\}$ is implemented by $\mathsf{pred} =_{def} \mathsf{MRec}\, s$, where the step function is $s =_{def} \lambda y.\lambda z.\lambda w.\mathsf{open}(w, u.\mathsf{case}(u, u_1.\mathsf{pack}(\mathsf{inl}\,()), u_2.\mathsf{pack}(\mathsf{inr}(y\, u_2))))$, for we derive $\vdash_{E_{\mathsf{pred}}} \mathsf{MRec}\, s : \forall x.\mathsf{N}(x) \to (() \uplus \mathsf{N})(\mathsf{pred}\, x)$.

³ Sometimes an equation is involved directly in a judgment and we agree to give it the void proof-term $()$ as code. That is, an equation that is not codified by a proof-term.
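The recursors of Section 3 run on the numerals of this example, as an added illustration in Python (not code from the paper): `mrec` and `mit` follow the reduction axioms literally, and `sum_`, `fac` and `pred` are transcribed from the step terms above. The helpers `nat`, `to_int` and `mul` are constructed here for checking; the program `*` that the paper assumes is taken to be multiplication by iteration.

```python
"""Mendler-style primitive recursion (MRec) and iteration (MIt) over the
iso-inductive natural numbers of Example 3, modelled with Python closures.
Proof terms become values: in r -> In(r), pack t -> Pack(t), inl/inr -> Inl/Inr."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Inl:        # left injection of a disjunction
    val: Any


@dataclass(frozen=True)
class Inr:        # right injection of a disjunction
    val: Any


@dataclass(frozen=True)
class Pack:       # witness of an existential formula
    val: Any


@dataclass(frozen=True)
class In:         # constructor of an iso-inductive predicate mu(Phi)
    val: Any


def case(d, left, right):
    # case(inl r, x.s, y.t) -> s[x:=r]   and   case(inr r, x.s, y.t) -> t[y:=r]
    return left(d.val) if isinstance(d, Inl) else right(d.val)


def open_(p, body):
    # open(pack t, u.r) -> r[u:=t]
    return body(p.val)


def mrec(s, t):
    # MRec s (in t) -> s (lambda x.x) (MRec s) t
    # The step s receives a payload of type Phi(X) for an abstract X: it can only
    # turn an X into a number through its first argument and recurse through its
    # second, so every recursive call is on a direct predecessor and no general
    # fixed-point combinator is reachable from inside s.
    return s(lambda x: x, lambda r: mrec(s, r), t.val)


def mit(s, t):
    # MIt s r =def MRec s' r with s' =def lambda _.s  (Section 3.1)
    return mrec(lambda _unfold, y, z: s(y, z), t)


# Example 3: N = mu(lambda X.() (+) X), 0 = in(pack(inl ())), suc z = in(pack(inr z))
UNIT = ()
ZERO = In(Pack(Inl(UNIT)))


def suc(z):
    return In(Pack(Inr(z)))


def nat(k: int):
    """constructed helper: the proof term for the numeral k"""
    n = ZERO
    for _ in range(k):
        n = suc(n)
    return n


def to_int(n) -> int:
    """constructed helper (not in the paper): read a numeral back via MIt"""
    return mit(lambda y, z: open_(z, lambda u: case(u, lambda _v: 0, lambda w: 1 + y(w))), n)


def sum_(n):
    # sum n = MIt s,  s = λy.λz.open(z, u.case(u, v.n, w.suc(y w)))
    return lambda x: mit(lambda y, z: open_(z, lambda u: case(u, lambda _v: n, lambda w: suc(y(w)))), x)


def mul(a, b):
    # constructed stand-in for the program * the paper assumes: a * b by iteration on a
    return mit(lambda y, z: open_(z, lambda u: case(u, lambda _v: ZERO, lambda w: sum_(b)(y(w)))), a)


def fac(x):
    # fac = MRec s,  s = λy.λz.λw.open(w, u.case(u, u1.1, u2.suc(y u2) * (z u2)))
    # y : X -> N unfolds the abstract predecessor, z : X -> N is the recursive call
    return mrec(lambda y, z, w: open_(w, lambda u: case(
        u, lambda _u1: suc(ZERO), lambda u2: mul(suc(y(u2)), z(u2)))), x)


def pred(x):
    # pred = MRec s,  s = λy.λz.λw.open(w, u.case(u, u1.pack(inl ()), u2.pack(inr(y u2))))
    # the result has type () (+) N: pack(inl ()) is the error value, pack(inr n) the predecessor
    return mrec(lambda y, z, w: open_(w, lambda u: case(
        u, lambda _u1: Pack(Inl(UNIT)), lambda u2: Pack(Inr(y(u2))))), x)


if __name__ == "__main__":
    print(to_int(fac(nat(4))))            # 24
    print(to_int(sum_(nat(2))(nat(3))))   # 5
    print(pred(nat(0)), pred(nat(3)) == Pack(Inr(nat(2))))
```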

In a similar way to the last example, we can define all usual inductive data types like finite lists or trees (see [11] for several related examples). We present next coinductive predicates corresponding to the conatural numbers and the lazy data type of streams or strictly infinite lists. These examples show that we can deal with infinite objects within a terminating system. It is important to observe that in the former case the iso-style is more convenient, while for the latter the equi-style suffices.

The implementation of the predicate for the so-called conatural numbers, corresponding to the ordinal $\omega + 1$, gives us the opportunity to show the use of corecursion to construct inhabitants of data types with infinite objects, in this case the ordinal $\omega$. We observe that the implementation of conatural numbers, as well as the implementations for natural numbers discussed above, do not correspond to Church numerals, as happens in AF2. In particular the normal proof-term coding the fact that $\mathsf{CoNat}(\omega)$ holds does not involve an "infinite" Church numeral, which would be a non-terminating term, for $\omega$ is specified as a conatural number that equals its predecessor and will be constructed by means of corecursion.

Example 4 (Iso-coinductive conatural numbers). The conatural numbers are defined by $\mathsf{CoNat} =_{def} \nu(\Phi)$, where $\Phi =_{def} \lambda X.\lambda x.()(x) \vee X(x)$, taking the predecessor function $\mathsf{pred}$ as destructor with implementation $\mathsf{pred} =_{def} \mathsf{out}$. Let us construct the conatural numbers by means of corecursion.

• Zero: let $0$ be a constant, $z$ be a unary function symbol and $E_z = \{\mathsf{pred}(z(x)) = *,\ 0 = z(*)\}$. If we define $\mathsf{0} =_{def} \mathsf{MCoRec}\, s\, ()$, where $s =_{def} \lambda x.\lambda y.\lambda u.\mathsf{inl}\, u$, then $\vdash_{E_z} \mathsf{0} : \mathsf{CoNat}(0)$ and $\mathsf{pred}\, \mathsf{0} \to^* \mathsf{inl}\,()$.

• Successor: let $\mathsf{suc}$ be a unary function and $E_{\mathsf{suc}} = \{\mathsf{pred}(\mathsf{suc}\, x) = x\}$. We have $\vdash \mathsf{suc} : \forall x.\mathsf{CoNat}(x) \to \mathsf{CoNat}(\mathsf{suc}(x))$, where $\mathsf{suc} =_{def} \mathsf{MCoRec}\, s$ and $s =_{def} \lambda x.\lambda y.\lambda z.\mathsf{inr}(x\, z)$. Moreover, the operational semantics yields $\mathsf{pred}\,(\mathsf{suc}\, n) \to^* \mathsf{inr}\, n$.

• Omega: to define the infinite ordinal $\omega$, we use a unary function $\omega^\dagger$ and axioms $E_{\omega^\dagger} = \{\omega = \omega^\dagger(*),\ \mathsf{pred}(\omega^\dagger(x)) = \omega^\dagger(x)\}$. Then we get $\vdash \omega^\dagger : \forall x.()(x) \to \mathsf{CoNat}(\omega^\dagger(x))$. By defining $\omega =_{def} \omega^\dagger\,()$ we get $\vdash \omega : \mathsf{CoNat}(\omega)$. The needed proof-term is given by $\omega^\dagger =_{def} \mathsf{MCoRec}\, s$, where $s =_{def} \lambda x.\lambda y.\lambda z.\mathsf{inr}(y\, z)$.

Our last example of a coinductive predicate corresponds to streams or strictly infinite lists.

Example 5 (Equi-coinductive streams). The streams over a data type $A$ are defined as $\mathsf{S}_A =_{def} \nu(\Phi)$ where $\Phi =_{def} \lambda X.\lambda x.A(\mathsf{head}(x)) \wedge X(\mathsf{tail}(x))$, and the destructor $d$ is the identity function. The programs for the usual destructors are $\mathsf{head} =_{def} \lambda x.\mathsf{fst}(\mathsf{out}\, x)$ and $\mathsf{tail} =_{def} \lambda x.\mathsf{snd}(\mathsf{out}\, x)$, extracted from $\vdash \mathsf{head} : \forall x.\mathsf{S}_A(x) \to A(\mathsf{head}\, x)$ and $\vdash \mathsf{tail} : \forall x.\mathsf{S}_A(x) \to \mathsf{S}_A(\mathsf{tail}\, x)$. We present now some programs involving streams:

• The function $\mathsf{from}$, that generates the stream of natural numbers from a given one, is specified by $E_{\mathsf{from}} = \{\mathsf{head}(\mathsf{from}\, x) = x,\ \mathsf{tail}(\mathsf{from}\, x) = \mathsf{from}(\mathsf{suc}\, x)\}$. The reader can verify that $\vdash_{E_{\mathsf{from}}} \mathsf{from} : \forall x.\mathsf{N}(x) \to \mathsf{S}_{\mathsf{N}}(\mathsf{from}\, x)$ where $\mathsf{from} =_{def} \mathsf{MCoIt}\, s$ and $s =_{def} \lambda y.\lambda z.\langle z, y(\mathsf{suc}\, z)\rangle$, and that $\mathsf{head}(\mathsf{from}\, x) \to^* x$ and $\mathsf{tail}(\mathsf{from}\, x) \to^* \mathsf{from}(\mathsf{suc}\, x)$.

• The constructor $\mathsf{cons}$ is defined by $E_{\mathsf{cons}} = \{\mathsf{head}(\mathsf{cons}\, x\, y) = x,\ \mathsf{tail}(\mathsf{cons}\, x\, y) = y\}$ and requires corecursion to be implemented. We get a program $\mathsf{cons}$ from the proof $\vdash_{E_{\mathsf{cons}}} \mathsf{cons} : \forall x.\forall y.A(x) \to \mathsf{S}_A(y) \to \mathsf{S}_A(\mathsf{cons}\, x\, y)$ where $\mathsf{cons} =_{def} \lambda x.\mathsf{MCoRec}\, s$ and $s =_{def} \lambda f_1.\lambda f_2.\lambda w.\langle x, f_1\, w\rangle$.

• The function $\mathsf{map}$ on streams is specified by $E_{\mathsf{map}} = \{\mathsf{head}(\mathsf{map}\, f\, \ell) = f(\mathsf{head}\, \ell),\ \mathsf{tail}(\mathsf{map}\, f\, \ell) = \mathsf{map}\, f\, (\mathsf{tail}\, \ell)\}$. An extracted program from $\vdash_{E_{\mathsf{map}}} \mathsf{map} : (\forall x.A(x) \to B(f(x))) \to \forall z.\mathsf{S}_A(z) \to \mathsf{S}_B(\mathsf{map}\, f\, z)$ is $\mathsf{map} =_{def} \lambda f.\mathsf{MCoIt}\, s$, where $s =_{def} \lambda y.\lambda x.\langle f(\mathsf{head}\, x), y(\mathsf{tail}\, x)\rangle$.

• A function similar to $\mathsf{map}$ but that requires corecursion in the implementation is $\mathsf{maphd}$, which applies a given function only to the head of a stream. It is defined by $E_{\mathsf{maphd}} = \{\mathsf{head}(\mathsf{maphd}\, f\, \ell) = f(\mathsf{head}\, \ell),\ \mathsf{tail}(\mathsf{maphd}\, f\, \ell) = \mathsf{tail}\, \ell\}$. We get the program $\vdash_{E_{\mathsf{maphd}}} \mathsf{maphd} : (\forall x.A(x) \to A(f(x))) \to \forall z.\mathsf{S}_A(z) \to \mathsf{S}_A(\mathsf{maphd}\, f\, z)$ where $\mathsf{maphd} =_{def} \lambda f.\mathsf{MCoRec}\, s$ and the step function $s$ is defined by $\lambda y.\lambda z.\lambda w.\langle f(\mathsf{head}\, w), y(\mathsf{tail}\, w)\rangle$.
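The corecursors applied to Examples 4 and 5, as an added illustration in Python (not the paper's code): a `MCoRec s t` term is kept as an unevaluated pair (step, seed) that `out` unfolds by exactly one step, which is what lets `omega` and the streams be finite terms. Stream elements are Python ints with `z + 1` assumed as the successor; `conat_value` and `take` are constructed checkers.

```python
"""Mendler-style primitive corecursion (MCoRec) and coiteration (MCoIt) for the
conatural numbers of Example 4 and the streams of Example 5. A term MCoRec s t is
kept unevaluated until it is destructed with out, as in the reduction axiom of
Section 3: that is what lets a finite term stand for omega or for a stream."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Inl:
    val: Any


@dataclass(frozen=True)
class Inr:
    val: Any


@dataclass(frozen=True)
class CoRec:
    """the I-term MCoRec s t: a step s and a seed t, not yet unfolded"""
    s: Callable
    t: Any


def mcorec(s):
    # MCoRec s stands for the program λx.MCoRec s x
    return lambda t: CoRec(s, t)


def out(c):
    # out(MCoRec s t) -> s (λx.x) (MCoRec s) t : destruction is the only observation,
    # and it performs exactly one unfolding, so every single observation terminates
    return c.s(lambda x: x, mcorec(c.s), c.t)


def mcoit(s):
    # MCoIt s r =def MCoRec s' r with s' =def λ_.s (Section 3.1)
    return mcorec(lambda _fold, y, z: s(y, z))


# Example 4: CoNat = nu(λX.λx.()(x) ∨ X(x)), destructor pred = out
UNIT = ()
zero = mcorec(lambda x, y, u: Inl(u))(UNIT)        # pred 0 ->* inl ()
suc = mcorec(lambda x, y, z: Inr(x(z)))            # pred (suc n) ->* inr n
omega_dagger = mcorec(lambda x, y, z: Inr(y(z)))   # pred (ω† x) ->* inr (ω† x)
omega = omega_dagger(UNIT)


def pred(n):
    return out(n)


def conat_value(n, fuel: int):
    """constructed checker: count predecessors down to zero, or return None when
    the budget runs out (the only way a finite observer can report omega)"""
    k = 0
    while fuel > 0:
        p = pred(n)
        if isinstance(p, Inl):
            return k
        n, k, fuel = p.val, k + 1, fuel - 1
    return None


# Example 5: S_A = nu(λX.λx.A(head x) ∧ X(tail x)); head = fst∘out, tail = snd∘out
def head(x):
    return out(x)[0]


def tail(x):
    return out(x)[1]


# from = MCoIt s, s = λy.λz.<z, y(suc z)>; elements are Python ints and the
# successor on them is assumed to be z + 1
from_ = mcoit(lambda y, z: (z, y(z + 1)))


def cons(x):
    # cons x = MCoRec s, s = λf1.λf2.λw.<x, f1 w>: f1 folds the existing stream w
    return mcorec(lambda f1, f2, w: (x, f1(w)))


def map_(f):
    # map f = MCoIt s, s = λy.λx.<f(head x), y(tail x)>: y is the corecursive call
    return mcoit(lambda y, x: (f(head(x)), y(tail(x))))


def maphd(f):
    # maphd f = MCoRec s, s = λy.λz.λw.<f(head w), y(tail w)>: the tail is reused as is
    return mcorec(lambda y, z, w: (f(head(w)), y(tail(w))))


def take(n: int, stream) -> list:
    """constructed helper: the first n elements, i.e. n destructions of the stream"""
    xs = []
    for _ in range(n):
        xs.append(head(stream))
        stream = tail(stream)
    return xs
```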

We finish the section with a couple of examples involving binary predicates.

Example 6 (Iso-inductive order in natural numbers). The following recursive definition of order for natural numbers:

$$\frac{\mathsf{N}(n)}{0 < \mathsf{suc}\, n} \qquad \frac{n < m}{\mathsf{suc}\, n < \mathsf{suc}\, m}$$

is implemented by the iso-inductive definition $\mathsf{L} = \mu(\Phi)$ where the predicate transformer is $\Phi =_{def} \lambda X^{(2)}.\lambda x, y.(x = 0 \wedge \mathsf{N}(y)) \vee \exists z.X(z, y) \upharpoonright (x = \mathsf{suc}\, z)$, and the constructors are the identity and the successor functions, $\vec{c} =_{def} \mathsf{id}, \mathsf{suc}$. The derivations $\vdash \lambda n.\mathsf{in}(\mathsf{inl}\langle (), n\rangle) : \forall n.\mathsf{N}(n) \to \mathsf{L}(0, \mathsf{suc}\, n)$ and $\vdash \lambda w.\mathsf{in}(\mathsf{inr}(\mathsf{pack}\, w)) : \forall n.\forall m.\mathsf{L}(n, m) \to \mathsf{L}(\mathsf{suc}\, n, \mathsf{suc}\, m)$ can be easily verified.

Example 7 (Equi-coinductive observational equality for streams). Leibniz equality is not always adequate for reasoning about streams (see [15]); in some cases it is better to employ the observational equality. This equality relation is defined by the equi-coinductive binary predicate $\cong\ =_{def} \nu(\Phi)$ where $\Phi =_{def} \lambda X^{(2)}.\lambda x, y.\mathsf{head}\, x = \mathsf{head}\, y \wedge X(\mathsf{tail}\, x, \mathsf{tail}\, y)$. It is immediate to verify that $\vdash \lambda x.\mathsf{fst}(\mathsf{out}\, x) : \forall x.\forall y.\cong(x, y) \to \mathsf{head}\, x = \mathsf{head}\, y$ and $\vdash \lambda x.\mathsf{snd}(\mathsf{out}\, x) : \forall x.\forall y.\cong(x, y) \to\ \cong(\mathsf{tail}\, x, \mathsf{tail}\, y)$. Moreover, the corecursion rule yields $\vdash e : \forall x.\forall y.\mathsf{head}\, x = \mathsf{head}\, y \to\ \cong(\mathsf{tail}\, x, \mathsf{tail}\, y) \to\ \cong(x, y)$, where the proof term $e$ is given by $e =_{def} \lambda x.\lambda y.\mathsf{MCoRec}\, s\, \langle x, y\rangle$ and $s =_{def} \lambda u.\lambda w.\lambda v.\langle \mathsf{fst}\, v, u(\mathsf{snd}\, v)\rangle$. These proofs imply that two streams are observationally equal if and only if their heads are equal and their tails are again observationally equal.

4 Saturated Sets

We develop here all constructions on a complete lattice of so-called saturated sets needed to define the semantics of the logic. It is important to emphasize that in this section a term is exclusively a $\lambda$-term belonging to the set $\Lambda = \{t \mid t \text{ is a proof-term of } \mathrm{AF2}^{M\mu\nu}\}$.

Definition 2. A term $t$ is called an I-term if it was generated by an introduction rule, i.e., I-terms are terms of the following shapes: $\lambda x.r$, $\mathsf{in}\, r$, $\mathsf{MCoRec}\, s\, r$. Analogously, E-terms are terms generated by an elimination rule, i.e., they are terms of the following shapes: $r\,s$, $\mathsf{out}\, r$, $\mathsf{MRec}\, s\, r$.

Observe that any term is either a variable, an I-term or an E-term.

Instead of reasoning with infinite reduction sequences we will work with an inductive definition of a set SN including all strongly normalizing terms. We discuss its definition now.
Definition 3. Evaluation contexts are defined by the following grammar:

$$E[\bullet] ::= \bullet \mid E[\bullet]\, s \mid \mathsf{out}\, E[\bullet] \mid \mathsf{MRec}\, s\, E[\bullet]$$

Let us observe that an evaluation context may be considered as an E-term with a unique placeholder $\bullet$. Therefore, evaluation contexts are sometimes called elimination contexts or multiple eliminations. In the following, we will write $E[r]$ for the E-term obtained by substituting the placeholder $\bullet$ by the term $r$ in $E[\bullet]$. That is, $E[r] =_{def} E[\bullet][\bullet := r]$ where the substitution is defined as if $\bullet$ were a term variable. A term of the form $E[x]$ is called a neutral term. The notion of weak head reduction, denoted $\to_{whd}$, needed to define the set SN is defined as follows:

$$\frac{t \mapsto t'}{E[t] \to_{whd} E[t']}$$

The final concept involved in the inductive definition of the set SN is the set $\mathrm{ist}(t)$ of immediate subterms of a given term $t$, defined as follows: $\mathrm{ist}(x) = \emptyset$, $\mathrm{ist}(\lambda x.r) = \mathrm{ist}(\mathsf{in}\, r) = \mathrm{ist}(\mathsf{out}\, r) = \{r\}$, $\mathrm{ist}(r\,s) = \mathrm{ist}(\mathsf{MRec}\, s\, r) = \mathrm{ist}(\mathsf{MCoRec}\, s\, r) = \{s, r\}$. We will also need the set $\mathrm{ist}(E[\bullet])$ of immediate subterms of a given evaluation context, which is defined as if $E[\bullet]$ were a term.

Definition 4. The set SN is defined by means of the following inductive definition:

$$\frac{}{x \in \mathrm{SN}}\ (\mathrm{SN\text{-}VAR}) \qquad
\frac{t \text{ is an I-term} \quad \mathrm{ist}(t) \subseteq \mathrm{SN}}{t \in \mathrm{SN}}\ (\mathrm{SN\text{-}I})$$

$$\frac{E[x] \in \mathrm{SN} \quad \mathrm{ist}(E'[\bullet]) \subseteq \mathrm{SN}}{E'[E[x]] \in \mathrm{SN}}\ (\mathrm{SN\text{-}E}) \qquad
\frac{E[t'] \in \mathrm{SN} \quad E[t] \to_{whd} E[t'] \quad \mathrm{prt}(t) \subseteq \mathrm{SN}}{E[t] \in \mathrm{SN}}\ (\mathrm{SN\text{-}W})$$

where for a redex $t$, $\mathrm{prt}(t)$ is the set of problematic subterms of $t$, which are the terms that might break the strong normalization of $t$, even knowing that its reduct $t'$ strongly normalizes. This set is defined as follows: $\mathrm{prt}((\lambda x.r)\,s) = \{s\}$, $\mathrm{prt}(\mathsf{MRec}\, s\, (\mathsf{in}\, r)) = \mathrm{prt}(\mathsf{out}(\mathsf{MCoRec}\, s\, r)) = \emptyset$.

It can be proved that the characterization SN of the set of strongly normalizing terms is sound, that is: if $t \in \mathrm{SN}$ then there is no infinite reduction sequence $t \to t_1 \to t_2 \to \cdots$

Now we can define a concept of saturated set, modelled after the definition of SN.

Definition 5 (SAT-set). A set of terms $\mathcal{M}$ is saturated if and only if it consists only of terms in SN, it contains all neutral terms of SN, and it is closed under weak head expansion of SN terms. This can elegantly be defined by the following rules:

$$\frac{t \in \mathcal{M}}{t \in \mathrm{SN}}\ (\mathrm{SAT\text{-}SN}) \qquad
\frac{E[x] \in \mathrm{SN}}{E[x] \in \mathcal{M}}\ (\mathrm{SAT\text{-}N}) \qquad
\frac{E[t'] \in \mathcal{M} \quad E[t] \to_{whd} E[t'] \quad \mathrm{prt}(t) \subseteq \mathrm{SN}}{E[t] \in \mathcal{M}}\ (\mathrm{SAT\text{-}W})$$

It is easy to see that $\mathrm{SAT} =_{def} \{\mathcal{M} \mid \mathcal{M} \text{ is saturated}\}$ is closed under intersection. Therefore the triple $(\mathrm{SAT}, \subseteq, \bigcap)$ forms a complete lattice. The next concept will be fundamental for reasoning with saturated sets.

Definition 6. Given a set of terms $M$, the set $\mathrm{cl}(M) := \bigcap\{\mathcal{N} \in \mathrm{SAT} \mid M \cap \mathrm{SN} \subseteq \mathcal{N}\}$ is called the saturated closure or SAT-closure of $M$.

$\mathrm{cl}(M)$ is the least saturated superset of $M \cap \mathrm{SN}$. Observe that $M \subseteq \mathrm{cl}(M)$ if and only if $M \subseteq \mathrm{SN}$.
4.1 Saturated sets for the implication

The following construction is standard; we recall it here for the sake of self-containment.

Definition 7. We define $\mathcal{M} \Rightarrow \mathcal{N} = \mathrm{cl}(\{r \in \Lambda \mid \forall s \in \mathcal{M}.\ r\,s \in \mathcal{N}\})$, so that $\Rightarrow : \mathrm{SAT} \times \mathrm{SAT} \to \mathrm{SAT}$ is a binary operation on saturated sets.

Proposition 5 (Soundness). Let $\mathcal{M}, \mathcal{N} \in \mathrm{SAT}$.

1. If $S_x(\mathcal{M}, \mathcal{N}) = \{t \mid \forall s \in \mathcal{M}.\ t[x := s] \in \mathcal{N}\}$ and $t \in S_x(\mathcal{M}, \mathcal{N})$ then $\lambda x.t \in \mathcal{M} \Rightarrow \mathcal{N}$.

2. If $r \in \mathcal{M} \Rightarrow \mathcal{N}$ and $s \in \mathcal{M}$ then $r\,s \in \mathcal{N}$.

Proof. Straightforward. See for example [9]. □

4.2 SAT-valued functions for coinductive predicates

The goal of this section is to develop the main technical contribution of our paper: the construction of fixed points of SAT-valued functions, which will be needed later for the semantics of coinductive predicates. For the case of inductive predicates we point to our extended version [11]. The methodology is based on the one developed in section 9.4 of [7] for inductive types. These constructions and their soundness properties will play an essential role in the proof of the adequacy theorem for AF2$^{\mu\nu}$.

Let us start by fixing a non-empty set $M$ and by defining, for all $n \in \mathbb{N}$, the set of SAT-valued $n$-ary functions $\mathrm{SAT}_n =_{def} \{F \mid F : M^n \to \mathrm{SAT}\}$, with $\mathrm{SAT}_0 = \mathrm{SAT}$. The set $\mathrm{SAT}_n$ forms a complete lattice $(\mathrm{SAT}_n, \subseteq, \bigcap)$ with the pointwise inherited definitions $F \subseteq G \Leftrightarrow_{def} \forall \vec{x} \in M^n.\ F(\vec{x}) \subseteq G(\vec{x})$ and, for any $\mathcal{F} \subseteq \mathrm{SAT}_n$, the function $\bigcap \mathcal{F} : M^n \to \mathrm{SAT}$ given by $(\bigcap \mathcal{F})(\vec{x}) =_{def} \bigcap_{F \in \mathcal{F}} F(\vec{x})$. Throughout this section we fix a higher-order function $\Phi : \mathrm{SAT}_n \to \mathrm{SAT}_n$ and tuples of functions $\vec{d} = d_1, \ldots, d_n$ and $\vec{f} = f_1, \ldots, f_n$ with $d_i, f_i : M \to M$; for such a tuple $\vec{g}$ and $\vec{t} \in M^n$ we write $\vec{g}(\vec{t})$ for $g_1(t_1), \ldots, g_n(t_n)$.

Let us begin with the constructions for coinductive predicates. The idea is that, given a coinductive predicate $\nu(\Psi)$ where the interpretation of the predicate transformer $\Psi$ is the function $\Phi : \mathrm{SAT}_n \to \mathrm{SAT}_n$, its interpretation will be defined as the greatest fixed point $\nu(\Phi)$ of the lower monotonization of some operator $\Theta_{\mathcal{E}} : \mathrm{SAT}_n \to \mathrm{SAT}_n$ associated to the arbitrary function $\Phi$.

Definition 8. We define $\mathcal{E}_\nu : \mathrm{SAT}_n \to M^n \to \mathcal{P}(\Lambda)$ by $\mathcal{E}_\nu(F)(\vec{t}) =_{def} \{r \in \mathrm{SN} \mid \mathrm{out}\, r \in \Phi(F)(\vec{d}(\vec{t}))\}$, where $F : M^n \to \mathrm{SAT}$ and $\vec{t} \in M^n$.

Lemma 1. Let $\Theta_{\mathcal{E}} : \mathrm{SAT}_n \to \mathrm{SAT}_n$ be defined as $\Theta_{\mathcal{E}}(F)(\vec{t}) =_{def} \mathrm{cl}(\mathcal{E}_\nu(F)(\vec{t}))$. Then, for any $F \in \mathrm{SAT}_n$, $\mathcal{E}_\nu(F) = \Theta_{\mathcal{E}}(F)$.

Proof. It suffices to show that for any $\vec{t} \in M^n$, $\mathcal{E}_\nu(F)(\vec{t}) \in \mathrm{SAT}$. See [11]. □

The post-fixed points of $\Theta_{\mathcal{E}}$ are characterized as follows:

Lemma 2. $F \subseteq \Theta_{\mathcal{E}}(F) \Leftrightarrow \forall \vec{t} \in M^n.\ \forall r \in F(\vec{t}).\ \mathrm{out}\, r \in \Phi(F)(\vec{d}(\vec{t}))$.

Proof. Straightforward. □

We would like to obtain a greatest fixed point of $\Theta_{\mathcal{E}}$, but as we do not assume that $\Phi$ is monotone, we cannot prove that $\Theta_{\mathcal{E}}$ is monotone either. Therefore we cannot apply the Knaster-Tarski fixed-point theorem to $\Theta_{\mathcal{E}}$ to obtain the greatest fixed point we need to interpret coinductive predicates. However, we can proceed by using an adequate version of its lower monotonization (see Definition 1), $\mathcal{E}_\nu^\star : \mathrm{SAT}_n \to M^n \to \mathcal{P}(\Lambda)$, defined by

$$\mathcal{E}_\nu^\star(F)(\vec{t}) = \bigcap_{F' \in \mathrm{SAT}_n} \{\mathcal{E}_\nu(F')(\vec{t}) \mid F \subseteq F'\}.$$

It is easy to see that $\mathcal{E}_\nu^\star$ is monotone: if $F \subseteq G$ then every $F'$ above $G$ is also above $F$, so the intersection defining $\mathcal{E}_\nu^\star(G)(\vec{t})$ ranges over a subfamily of the one defining $\mathcal{E}_\nu^\star(F)(\vec{t})$. Therefore the operator $\Theta_{\mathcal{E}}^\star : \mathrm{SAT}_n \to \mathrm{SAT}_n$ given by $\Theta_{\mathcal{E}}^\star(F)(\vec{t}) =_{def} \mathrm{cl}(\mathcal{E}_\nu^\star(F)(\vec{t}))$ is also monotone, and the function $\nu(\Phi) \in \mathrm{SAT}_n$ defined by $\nu(\Phi) =_{def} \mathrm{gfp}(\Theta_{\mathcal{E}}^\star)$ exists due to the completeness of the lattice $(\mathrm{SAT}_n, \subseteq, \bigcap)$.

Proposition 6. $\nu(\Phi)$ is a post-fixed point of $\Theta_{\mathcal{E}}$.

Proof. By definition, $\nu(\Phi)$ is a post-fixed point of $\Theta_{\mathcal{E}}^\star$, that is $\nu(\Phi) \subseteq \Theta_{\mathcal{E}}^\star(\nu(\Phi))$. Moreover, it is straightforward to show that $\Theta_{\mathcal{E}}^\star(\nu(\Phi)) \subseteq \Theta_{\mathcal{E}}(\nu(\Phi))$ (take $F' = \nu(\Phi)$ in the intersection), which yields $\nu(\Phi) \subseteq \Theta_{\mathcal{E}}(\nu(\Phi))$. □
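The following Python snippet is an added example and not part of the paper. It carries out the lower-monotonization construction on the simplest complete lattice at hand, the powerset of a three-element set, for a constructed and deliberately non-monotone operator `PHI`: it checks that the monotonized operator `phi_star` is monotone and lies below `PHI`, computes its greatest fixed point by Knaster-Tarski as the union of all post-fixed points, and then verifies the analogue of Proposition 6, namely that this fixed point is a post-fixed point of the original non-monotone operator. The universe, `PHI` and all function names are illustrative choices; the saturated closure `cl` plays no role on a finite powerset lattice and is therefore omitted.

```python
from itertools import combinations

# Added example (not from the paper): lower monotonization of an arbitrary
# operator on the powerset lattice of a finite universe, and the greatest
# fixed point obtained from it by Knaster-Tarski.  PHI is a constructed
# non-monotone operator chosen to illustrate the construction.

def powerset(universe):
    """All subsets of `universe`, as frozensets (the carrier of the lattice)."""
    elems = sorted(universe)
    return [frozenset(c) for k in range(len(elems) + 1)
            for c in combinations(elems, k)]

def is_monotone(op, universe):
    """True iff S <= T implies op(S) <= op(T) for all S, T in the lattice."""
    subsets = powerset(universe)
    return all(op(s) <= op(t) for s in subsets for t in subsets if s <= t)

def lower_monotonization(op, universe):
    """op*(S) = intersection of op(T) over all T with S <= T.
    op* is monotone by construction and below op (take T = S)."""
    subsets = powerset(universe)

    def op_star(s):
        result = frozenset(universe)
        for t in subsets:
            if s <= t:
                result &= op(t)
        return result
    return op_star

def gfp(op, universe):
    """Knaster-Tarski: for a monotone op, the greatest fixed point is the
    union of all post-fixed points, i.e. all S with S <= op(S)."""
    assert is_monotone(op, universe), "Knaster-Tarski needs a monotone operator"
    post_fixed = [s for s in powerset(universe) if s <= op(s)]
    return frozenset().union(*post_fixed)

UNIVERSE = frozenset({0, 1, 2})

def PHI(s):
    """Constructed non-monotone operator: adds 2 when 0 is absent and drops 2
    when 0 is present.  {1} <= {0,1}, but PHI({1}) = {1,2} is not <= PHI({0,1}) = {0,1}."""
    return s | {2} if 0 not in s else s - {2}

def demo():
    """Run the construction for PHI and report the checks as a dict."""
    phi_star = lower_monotonization(PHI, UNIVERSE)
    nu = gfp(phi_star, UNIVERSE)
    return {
        "phi_monotone": is_monotone(PHI, UNIVERSE),
        "phi_star_monotone": is_monotone(phi_star, UNIVERSE),
        "phi_star_below_phi": all(phi_star(s) <= PHI(s) for s in powerset(UNIVERSE)),
        "nu": nu,
        "nu_is_fixed_point_of_star": phi_star(nu) == nu,
        "nu_post_fixed_for_phi": nu <= PHI(nu),   # the analogue of Proposition 6
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On this lattice the greatest fixed point of `phi_star` is `{0, 1}`, which `PHI` happens to fix as well; in general only the post-fixed-point inclusion of Proposition 6 is guaranteed, since `phi_star` lies below `PHI` but `PHI` need not preserve the fixed point.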

Next, we define an operator $\Theta_{\mathcal{I}}$ useful to prove the soundness of the inference rule for Mendler corecursion.

Definition 9. Given $\Phi : \mathrm{SAT}_n \to \mathrm{SAT}_n$ and $F \in \mathrm{SAT}_n$ we define $\mathcal{F}_\nu : \mathrm{SAT}_n \to M^n \to \mathcal{P}(\Lambda)$ as follows: if $\vec{s} \in M^n$ is not of the form $\vec{f}(\vec{t})$ for any $\vec{t} \in M^n$ then $\mathcal{F}_\nu(F)(\vec{s}) =_{def} \emptyset$, and

$$\mathcal{F}_\nu(F)(\vec{f}(\vec{t})) =_{def} \{\mathrm{MCoRec}\, s\, r \mid H \in \mathrm{SAT}_n,\ r \in H(\vec{t}),\ s \in \bigcap_{G \in \mathrm{SAT}_n} \big((F \le G) \Rightarrow (H \le_{\vec{f}} G) \Rightarrow H \le_{\vec{d} \circ \vec{f}} \Phi(G)\big)\}$$

where for any $F, G \in \mathrm{SAT}_n$ and $\vec{g}$ a tuple of functions $g_i : M \to M$ we define the SAT-set $F \le_{\vec{g}} G$ as follows: $F \le_{\vec{g}} G =_{def} \bigcap_{\vec{t} \in M^n} F(\vec{t}) \Rightarrow G(\vec{g}(\vec{t}))$; in particular, $F \le G =_{def} \bigcap_{\vec{t} \in M^n} F(\vec{t}) \Rightarrow G(\vec{t})$. Finally we define the function $\Theta_{\mathcal{I}} : \mathrm{SAT}_n \to \mathrm{SAT}_n$ as $\Theta_{\mathcal{I}}(F)(\vec{t}) =_{def} \mathrm{cl}(\mathcal{F}_\nu(F)(\vec{t}))$.

Lemma 3. For any $F \in \mathrm{SAT}_n$, $\mathcal{F}_\nu(F) \subseteq \Theta_{\mathcal{I}}(F)$.

Proof. It suffices to show that for any $\vec{t} \in M^n$, $\mathcal{F}_\nu(F)(\vec{t}) \subseteq \mathrm{SN}$. See [11]. □

The pre-fixed points of $\Theta_{\mathcal{I}}$ are characterized as follows:

Lemma 4. Let $F \in \mathrm{SAT}_n$.

$$\Theta_{\mathcal{I}}(F) \subseteq F \Leftrightarrow \forall \vec{t} \in M^n.\ \forall H \in \mathrm{SAT}_n.\ \forall r \in H(\vec{t}).\ \forall s \in \bigcap_{G \in \mathrm{SAT}_n}\big((F \le G) \Rightarrow (H \le_{\vec{f}} G) \Rightarrow H \le_{\vec{d} \circ \vec{f}} \Phi(G)\big).\ \mathrm{MCoRec}\, s\, r \in F(\vec{f}(\vec{t}))$$

Proof. Straightforward. □

To show the soundness of Mendler corecursion we will use the following

Proposition 7. $\nu(\Phi)$ is a pre-fixed point of $\Theta_{\mathcal{I}}$.

Proof. We proceed by extended conventional coinduction, as defined in Proposition 1. Let $Z =_{def} \nu(\Phi)$ and $Z' =_{def} Z \cup \Theta_{\mathcal{I}}(Z)$. We have to prove that $\Theta_{\mathcal{I}}(Z) \subseteq \Theta_{\mathcal{E}}^\star(Z')$, and for this it suffices to show that $\mathcal{F}_\nu(Z)(\vec{s}) \subseteq \mathcal{E}_\nu^\star(Z')(\vec{s})$ for all $\vec{s} \in M^n$.

If $\vec{s}$ is not of the form $\vec{f}(\vec{t})$ then $\mathcal{F}_\nu(Z)(\vec{s}) = \emptyset \subseteq \mathcal{E}_\nu^\star(Z')(\vec{s})$. For the case $\vec{s} = \vec{f}(\vec{t})$ let us take $\mathrm{MCoRec}\, s\, r \in \mathcal{F}_\nu(Z)(\vec{f}(\vec{t}))$ with $r \in H(\vec{t})$, $H \in \mathrm{SAT}_n$ and $s \in \bigcap_{G \in \mathrm{SAT}_n}\big((Z \le G) \Rightarrow (H \le_{\vec{f}} G) \Rightarrow H \le_{\vec{d} \circ \vec{f}} \Phi(G)\big)$. According to the definition of $\mathcal{E}_\nu^\star(Z')(\vec{f}(\vec{t}))$ we have to prove that $\mathrm{MCoRec}\, s\, r \in \mathcal{E}_\nu(Z'')(\vec{f}(\vec{t}))$ for any $Z'' \in \mathrm{SAT}_n$ such that $Z' \subseteq Z''$. Let us observe that $\mathrm{MCoRec}\, s\, r \in \mathrm{SN}$, for $\mathcal{F}_\nu(Z)(\vec{f}(\vec{t})) \subseteq \mathrm{SN}$. Therefore, we only need to verify that $\mathrm{out}(\mathrm{MCoRec}\, s\, r) \in \Phi(Z'')(\vec{d}(\vec{f}(\vec{t})))$. Since $\Phi(Z'')(\vec{d}(\vec{f}(\vec{t}))) \in \mathrm{SAT}$ is closed under weak head expansion and $\mathrm{out}(\mathrm{MCoRec}\, s\, r) \to_{whd} s(\lambda x.x)(\mathrm{MCoRec}\, s)\, r$, it suffices to show that $s(\lambda x.x)(\mathrm{MCoRec}\, s)\, r \in \Phi(Z'')(\vec{d}(\vec{f}(\vec{t})))$.

Instantiating $G$ with $Z''$, we know that $s \in (Z \le Z'') \Rightarrow (H \le_{\vec{f}} Z'') \Rightarrow (H \le_{\vec{d} \circ \vec{f}} \Phi(Z''))$, and also that $\lambda x.x \in Z \le Z''$, for $Z \subseteq Z' \subseteq Z''$. Hence, by part 2 of Proposition 5, $s(\lambda x.x) \in (H \le_{\vec{f}} Z'') \Rightarrow H \le_{\vec{d} \circ \vec{f}} \Phi(Z'')$.

Next, we show that $\mathrm{MCoRec}\, s \in H \le_{\vec{f}} Z''$. By part 1 of Proposition 5 we only need to show that for all $\vec{t} \in M^n$, $\mathrm{MCoRec}\, s\, x \in S_x(H(\vec{t}), Z''(\vec{f}(\vec{t})))$, which happens if and only if for all $e \in H(\vec{t})$, $(\mathrm{MCoRec}\, s\, x)[x := e] \in Z''(\vec{f}(\vec{t}))$. Therefore we assume $e \in H(\vec{t})$ and need to prove that $\mathrm{MCoRec}\, s\, e \in Z''(\vec{f}(\vec{t}))$. But we have $\mathrm{MCoRec}\, s\, e \in \mathcal{F}_\nu(Z)(\vec{f}(\vec{t}))$ and therefore, by Lemma 3, $\mathrm{MCoRec}\, s\, e \in \Theta_{\mathcal{I}}(Z)(\vec{f}(\vec{t}))$; as $\Theta_{\mathcal{I}}(Z)(\vec{f}(\vec{t})) \subseteq Z'(\vec{f}(\vec{t})) \subseteq Z''(\vec{f}(\vec{t}))$, we have proven that $\mathrm{MCoRec}\, s \in H \le_{\vec{f}} Z''$. Using again the second part of Proposition 5, we conclude that $s(\lambda x.x)(\mathrm{MCoRec}\, s) \in H \le_{\vec{d} \circ \vec{f}} \Phi(Z'')$. Finally, $r \in H(\vec{t})$ implies that $s(\lambda x.x)(\mathrm{MCoRec}\, s)\, r \in \Phi(Z'')(\vec{d}(\vec{f}(\vec{t})))$. □

To finish this section we summarize the soundness properties of the (co)inductive constructions on SAT-valued functions.

Proposition 8 (Soundness of the (co)inductive constructions). Let $\Phi : \mathrm{SAT}_n \to \mathrm{SAT}_n$, let $\vec{c}, \vec{d}, \vec{f}$ be tuples of functions $c_i, d_i, f_i : M \to M$, $1 \le i \le n$, and let $\vec{t} \in M^n$. Then

1. If $r \in \Phi(\mu(\Phi))(\vec{t})$ then $\mathrm{in}\, r \in \mu(\Phi)(\vec{c}(\vec{t}))$.

2. If $r \in \mu(\Phi)(\vec{t})$, $H \in \mathrm{SAT}_n$ and $s \in \bigcap_{G \in \mathrm{SAT}_n}\big((G \le \mu(\Phi)) \Rightarrow (G \le_{\vec{f}} H) \Rightarrow \Phi(G) \le_{\vec{f} \circ \vec{c}} H\big)$ then $\mathrm{MRec}\, s\, r \in H(\vec{f}(\vec{t}))$.

3. If $r \in \nu(\Phi)(\vec{t})$ then $\mathrm{out}\, r \in \Phi(\nu(\Phi))(\vec{d}(\vec{t}))$.

4. If $r \in H(\vec{t})$, $H \in \mathrm{SAT}_n$, and $s \in \bigcap_{G \in \mathrm{SAT}_n}\big((\nu(\Phi) \le G) \Rightarrow (H \le_{\vec{f}} G) \Rightarrow H \le_{\vec{d} \circ \vec{f}} \Phi(G)\big)$ then $\mathrm{MCoRec}\, s\, r \in \nu(\Phi)(\vec{f}(\vec{t}))$.

Proof. Part 3 is a consequence of Proposition 6 and Lemma 2. For part 4 we just use Proposition 7 and Lemma 4. For the inductive cases we refer to [11]. □
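As an added example, and not code from the paper, the following Python models the computational content of Proposition 8. `MCoRec` with `out` implements Mendler-style corecursion through the weak head step out(MCoRec s r) → s (λx.x) (MCoRec s) r that the proof of Proposition 7 relies on; `mrec` implements the recursor through the dual step MRec s (in r) → s (λx.x) (MRec s) r, which is assumed here by duality since the paper defers the inductive case to [11]. In both cases the step function receives the cast (the identity at run time), the (co)recursor itself and the current argument, the three ingredients quantified over in parts 2 and 4. The stream of naturals, the prepended stream and the list sum are constructed illustrations, and every name in the block is a choice of this example.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Added example (not from the paper): a Python model of Mendler-style
# (co)recursion as summarized in Proposition 8.  Reduction rules modelled:
#   out (MCoRec s r)  -->  s (\x.x) (MCoRec s) r   (used in the proof of Prop. 7)
#   MRec s (in r)     -->  s (\x.x) (MRec s) r     (assumed here as the dual rule)

@dataclass(frozen=True)
class MCoRec:
    """A coinductive value: a step function plus the state it is applied to."""
    step: Callable[..., Any]
    state: Any

def out(value: MCoRec) -> Any:
    """Destructor: one weak head unfolding of a Mendler corecursion."""
    cast = lambda x: x                            # nu(Phi) <= G: identity at run time
    rec = lambda st: MCoRec(value.step, st)       # H <=_f G: the corecursor itself
    return value.step(cast, rec, value.state)

@dataclass(frozen=True)
class In:
    """The generic constructor `in` of an inductive predicate."""
    payload: Any

def mrec(step: Callable[..., Any], value: In) -> Any:
    """Eliminator: one weak head unfolding of a Mendler recursion."""
    cast = lambda x: x                            # G <= mu(Phi): identity at run time
    rec = lambda v: mrec(step, v)                 # G <=_f H: the recursor itself
    return step(cast, rec, value.payload)

# Coinductive side: streams, where Phi(X) is "a head paired with an X-value".
def nats_step(cast, rec, n):
    """Stream of naturals from n; the tail is built only through `rec`."""
    return (n, rec(n + 1))

def cons_step(cast, rec, state):
    """Prepend one element to an existing stream.  The tail is the existing
    stream re-injected through `cast`, so no corecursive call is needed."""
    head, tail = state
    return (head, cast(tail))

def take(stream: MCoRec, k: int) -> list:
    """First k heads of a stream, forcing exactly k unfoldings."""
    heads = []
    for _ in range(k):
        head, stream = out(stream)
        heads.append(head)
    return heads

# Inductive side: lists, where In(None) is nil and In((x, xs)) is cons.
def from_pylist(xs: list) -> In:
    acc = In(None)
    for x in reversed(xs):
        acc = In((x, acc))
    return acc

def sum_step(cast, rec, payload):
    """Sum of a list; the recursive call goes through `rec` only."""
    if payload is None:
        return 0
    x, rest = payload
    return x + rec(rest)

def demo():
    """Five naturals, three heads of a prepended stream, and a list sum."""
    nats = MCoRec(nats_step, 0)
    prepended = MCoRec(cons_step, (42, nats))
    return (take(nats, 5), take(prepended, 3), mrec(sum_step, from_pylist([1, 2, 3, 4])))

if __name__ == "__main__":
    print(demo())
```

In the typed setting the step function sees only the abstract `G` of parts 2 and 4, so it can neither apply `out` to the result of `rec` nor inspect the value it receives through `cast`; that restriction, rather than any positivity condition on Φ, is what the soundness results above turn into productivity of `out` and termination of `mrec`. In untyped Python nothing enforces it, which is precisely the gap the proof-term calculus closes.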

We are now ready to define an intuitionistic semantics for our logic. 

5 Semantics for AF2$^{\mu\nu}$

We present here a realizability semantics for AF2$^{\mu\nu}$ where an object-term is interpreted as an element of a universe set $M$, a formula as a SAT-set and a predicate as a SAT-valued function in $\mathrm{SAT}_n$.

Definition 10. A model for a second-order language $\mathcal{L}$ is a pair $\mathfrak{M} = (M, \mathcal{I})$ where $M$ is a non-empty set and $\mathcal{I}$ is an interpretation function for $\mathcal{L}$ such that $\mathcal{I}(f) : M^n \to M$ for every $n$-ary function symbol $f \in \mathcal{L}$, and $\mathcal{I}(P) : M^n \to \mathrm{SAT}$ for every $n$-ary predicate symbol $P \in \mathcal{L}$.

From now on we fix a model $\mathfrak{M} = (M, \mathcal{I})$.

Definition 11. A state or variable assignment is a function $\sigma : \mathrm{Var} \to M \cup \mathrm{SAT}_n$ such that $\sigma(x) \in M$ and $\sigma(X^{(n)}) \in \mathrm{SAT}_n$. Given $m \in M$ or $G \in \mathrm{SAT}_n$, the modified assignments $\sigma[x/m]$ and $\sigma[X/G]$ are defined as usual.
Next, we recursively define the interpretation of terms, predicates and formulas.

Definition 12. Given a variable assignment $\sigma$, we define the interpretation function $\mathcal{I}_\sigma$, such that $\mathcal{I}_\sigma(r) \in M$, $\mathcal{I}_\sigma(\mathcal{P}) \in \mathrm{SAT}_n$ and $\mathcal{I}_\sigma(A) \in \mathrm{SAT}$, as follows:

o Term interpretation:

- $\mathcal{I}_\sigma(x) = \sigma(x)$

- $\mathcal{I}_\sigma(f(t_1, \ldots, t_n)) = \mathcal{I}(f)(\mathcal{I}_\sigma(t_1), \ldots, \mathcal{I}_\sigma(t_n))$

o Predicate interpretation:

- Predicate variables: $\mathcal{I}_\sigma(X) = \sigma(X)$

- Predicate symbols: $\mathcal{I}_\sigma(P) = \mathcal{I}(P)$

- Comprehension predicates: if $\mathcal{P} =_{def} \lambda \vec{x}.A$, we define $\mathcal{I}_\sigma(\mathcal{P}) = G_{\mathcal{P}}$, where $G_{\mathcal{P}} : M^n \to \mathrm{SAT}$ is given by $G_{\mathcal{P}}(\vec{m}) = \mathcal{I}_{\sigma[\vec{x}/\vec{m}]}(A)$, for all $\vec{m} \in M^n$.

- Predicate transformers: if $\Phi =_{def} \lambda X.\mathcal{P}$ where, w.l.o.g., $\mathcal{P} =_{def} \lambda \vec{x}.A$, we define $\mathcal{I}_\sigma(\Phi) : \mathrm{SAT}_n \to \mathrm{SAT}_n$ by $\mathcal{I}_\sigma(\Phi)(F)(\vec{m}) = \mathcal{I}_{\sigma[X/F,\ \vec{x}/\vec{m}]}(A)$, for all $\vec{m} \in M^n$.

  This way, it can be proved that for any predicate $\mathcal{P}$ we have $\mathcal{I}_\sigma(\Phi(\mathcal{P})) = \mathcal{I}_\sigma(\Phi)(\mathcal{I}_\sigma(\mathcal{P}))$.

- (Co)inductive predicates:

  * $\mathcal{I}_\sigma(\mu(\Phi)) = \mu(\mathcal{I}_\sigma(\Phi))$

  * $\mathcal{I}_\sigma(\nu(\Phi)) = \nu(\mathcal{I}_\sigma(\Phi))$

  where, of course, the operators $\mu$ and $\nu$ on the right-hand side of the equalities refer to the constructions on SAT-valued functions developed in Section 4.

o Formula interpretation:

- $\mathcal{I}_\sigma(\mathcal{P}(t_1, \ldots, t_n)) = \mathcal{I}_\sigma(\mathcal{P})(\mathcal{I}_\sigma(t_1), \ldots, \mathcal{I}_\sigma(t_n))$

- $\mathcal{I}_\sigma(A \to B) = \mathcal{I}_\sigma(A) \Rightarrow \mathcal{I}_\sigma(B)$

- $\mathcal{I}_\sigma(\forall x A) = \bigcap\{\mathcal{I}_{\sigma[x/m]}(A) \mid m \in M\}$

- $\mathcal{I}_\sigma(\forall X A) = \bigcap\{\mathcal{I}_{\sigma[X/G]}(A) \mid G \in \mathrm{SAT}_n\}$

We observe that, as equations are a special case of second-order universal formulas, there is no need to give a specific semantics for them. However, we are only interested in models that satisfy a set of equations in the following sense.

Definition 13. Let $\mathfrak{M} = (M, \mathcal{I})$ be a model and $\sigma$ be a state. We say that the interpretation $\mathcal{I}_\sigma$ satisfies the equation $r = s$ if and only if $\mathcal{I}_\sigma(r) = \mathcal{I}_\sigma(s)$. Moreover, if $E$ is a set of equations, we say that $\mathcal{I}_\sigma$ satisfies $E$ if and only if $\mathcal{I}_\sigma$ satisfies every equation in $E$.

Now we can prove the main theorem of this paper.

Theorem 1 (Adequacy or soundness). Let $\mathfrak{M} = (M, \mathcal{I})$ be a model and $\sigma$ a state such that the interpretation $\mathcal{I}_\sigma$ satisfies the set of equations $E$. If $\Gamma \vdash_E t : A$, with $\Gamma = \{x_1 : A_1, \ldots, x_n : A_n\}$, and $r_i \in \mathcal{I}_\sigma(A_i)$ for all $1 \le i \le n$, then $t[\vec{x} := \vec{r}] \in \mathcal{I}_\sigma(A)$.

Proof. Induction on $\Gamma \vdash_E t : A$. We discuss the case for the rule $(\nu I)$; for the remaining rules see [11]. We need to show that $(\mathrm{MCoRec}\, s\, r)[\vec{x} := \vec{r}] \in \mathcal{I}_\sigma(\nu(\Phi)(\vec{f}(\vec{t})))$, that is, $\mathrm{MCoRec}\, s[\vec{x} := \vec{r}]\, r[\vec{x} := \vec{r}] \in \nu(\mathcal{I}_\sigma(\Phi))(\vec{j})$, where $\vec{j} = \mathcal{I}_\sigma(f_1(t_1)), \ldots, \mathcal{I}_\sigma(f_n(t_n))$. The I.H. applied to the premise typing $s$ in $(\nu I)$ yields $s[\vec{x} := \vec{r}] \in \mathcal{I}_\sigma(\forall Y.(\nu(\Phi) \le Y \to X \le_{\vec{f}} Y \to X \le_{\vec{d} \circ \vec{f}} \Phi(Y)))$, where $\le$ and $\le_{\vec{g}}$ between predicates denote the inclusion formulas whose interpretations are the SAT-sets $F \le G$ and $F \le_{\vec{g}} G$ of Definition 9. From this, and by defining $\Phi' = \mathcal{I}_\sigma(\Phi)$, $\vec{f'} = \mathcal{I}_\sigma(f_1), \ldots, \mathcal{I}_\sigma(f_n)$, $\vec{d'} = \mathcal{I}_\sigma(d_1), \ldots, \mathcal{I}_\sigma(d_n)$ and $H = \mathcal{I}_\sigma(X)$, it is easy to verify that $s[\vec{x} := \vec{r}] \in \bigcap_{G \in \mathrm{SAT}_n}\big((\nu(\Phi') \le G) \Rightarrow (H \le_{\vec{f'}} G) \Rightarrow (H \le_{\vec{d'} \circ \vec{f'}} \Phi'(G))\big)$. Moreover, by I.H. we also have $r[\vec{x} := \vec{r}] \in H(\vec{t'})$, where $\vec{t'} = \mathcal{I}_\sigma(t_1), \ldots, \mathcal{I}_\sigma(t_n)$.

Therefore we can apply part 4 of Proposition 8 to conclude that $\mathrm{MCoRec}\, s[\vec{x} := \vec{r}]\, r[\vec{x} := \vec{r}] \in \nu(\Phi')(\vec{f'}(\vec{t'}))$, which is equivalent to $(\mathrm{MCoRec}\, s\, r)[\vec{x} := \vec{r}] \in \mathcal{I}_\sigma(\nu(\Phi)(\vec{f}(\vec{t})))$. □
5.1 Strong normalization

The strong normalization property for the logic AF2$^{\mu\nu}$ can be proved by adapting the proof for AF2, which embeds this logic into its propositional fragment, system F (see [4]). However, our semantics of saturated sets allows for an easy proof of strong normalization as a direct consequence of the adequacy theorem. Let us start by building a model and an interpretation that satisfies a given set of equations $E$, as required by the adequacy theorem.

Definition 14. Given a judgement $\Delta =_{def} \Gamma \vdash_E t : A$ we define a model $\mathfrak{M}_\Delta = (M, \mathcal{I})$ as follows:

o Let $\approx_E$ be the binary relation on terms given by $r \approx_E s \Leftrightarrow_{def} E \vdash r = s$. It is easy to prove that $\approx_E$ is an equivalence relation.

o The universe of $\mathfrak{M}_\Delta$ is the set $M = \mathrm{Term}_{\mathcal{L}} / \approx_E$ of the equivalence classes $[t]$ of the relation $\approx_E$.

o The interpretation function $\mathcal{I}$ is defined as follows:

- $\mathcal{I}(f) : M^n \to M$, with $\mathcal{I}(f)([t_1], \ldots, [t_n]) =_{def} [f(t_1, \ldots, t_n)]$

- $\mathcal{I}(P) : M^n \to \mathrm{SAT}$, with $\mathcal{I}(P)([t_1], \ldots, [t_n]) =_{def} \mathrm{cl}(\{s \in \Lambda \mid \Gamma \vdash_E s : P(t_1, \ldots, t_n)\})$

It is easy to see that the interpretation function is well-defined, that is, independent of the chosen representatives $t_i$, and therefore $\mathfrak{M}_\Delta$ is a model.

The next lemma shows that in $\mathfrak{M}_\Delta$ term interpretation is given by a specific substitution.

Lemma 5. Let $\sigma$ be a state and $r \in \mathrm{Term}_{\mathcal{L}}$ such that $\mathrm{Var}(r) = \vec{x}$. If $\sigma(x_i) = [s_i]$ then $\mathcal{I}_\sigma(r) = [r[\vec{x} := \vec{s}]]$.

Proof. Induction on $r$. □

We can now define an interpretation that satisfies a given set of equations $E$.

Lemma 6. For any judgement $\Delta =_{def} \Gamma \vdash_E t : A$ there is a state $\sigma$ of $\mathfrak{M}_\Delta$ such that the interpretation $\mathcal{I}_\sigma$ satisfies $E$.

Proof. We define the state $\sigma$ of $\mathfrak{M}_\Delta$ as follows:

o For any first-order variable $x$, $\sigma(x) = [x]$.

o For any second-order variable $X$, $\sigma(X) = G$, where

$$G([t_1], \ldots, [t_n]) =_{def} \mathrm{cl}(\{s \in \Lambda \mid \Gamma \vdash_E s : X(t_1, \ldots, t_n)\}).$$

It is easy to verify that the state is well-defined. Moreover, $\mathcal{I}_\sigma$ satisfies $E$: if $r = s \in E$ then $r \approx_E s$ and therefore $[r] = [s]$. But, if $\mathrm{Var}(r) = \vec{x}$ and $\mathrm{Var}(s) = \vec{y}$, then by definition of $\sigma$ and by Lemma 5 we have $\mathcal{I}_\sigma(r) = [r[\vec{x} := \vec{x}]] = [r] = [s] = [s[\vec{y} := \vec{y}]] = \mathcal{I}_\sigma(s)$. □

The strong normalization of AF2$^{\mu\nu}$ is now easily obtained from Lemma 6 and the adequacy theorem.

Theorem 2 (Strong normalization of AF2$^{\mu\nu}$). If $\Gamma \vdash_E t : A$ then $t$ is strongly normalizing.

Proof. Assume $\Delta$ is the judgement $\Gamma \vdash_E t : A$, with $\Gamma = \{x_1 : A_1, \ldots, x_k : A_k\}$. By Lemma 6 the set of equations $E$ is satisfied by an interpretation $\mathcal{I}_\sigma$ in the model $\mathfrak{M}_\Delta$. Moreover, we have $x_i \in \mathcal{I}_\sigma(A_i)$, for $\mathcal{I}_\sigma(A_i)$ is a SAT-set and every SAT-set contains all variables (a variable is a neutral term in SN, so rule (SAT-N) applies). Therefore the adequacy theorem yields $t = t[\vec{x} := \vec{x}] \in \mathcal{I}_\sigma(A)$. Finally, as $\mathcal{I}_\sigma(A) \subseteq \mathrm{SN}$, we get $t \in \mathrm{SN}$, which is to say that $t$ strongly normalizes. □
6 Related Work

Nowadays, there are several lines of research concerning fixed-point logics in computer science. In relation to our work we can mention for instance [12], which presents a sequent calculus for positive equi-(co)inductive equational definitions and which handles conventional (co)iteration only. In that paper the equality relation is primitive and corresponds to unification with respect to $\beta\eta$-reduction. Moreover, the cut-elimination property holds only after restricting the coinductive rules. Recently, [2] developed an extension of the linear logic MALL and a focused proof system for it, where the mechanism of conventional equi-(co)inductive definitions is similar to ours. In this weakly normalizing logic, which only handles (co)iteration, all predicate operators are assumed to be monotone, proofs of functoriality are given for positive definitions, and the treatment of equality originates from logic programming. Finally, we mention the work of [1], which is closer to ours and presents two strongly normalizing propositional logics (type systems) with Mendler-style positive equi-(co)inductive types, whose semantics of so-called guarded saturated sets makes heavy use of transfinite ordinal recursion; this obliges the authors to restrict the (co)iteration rules by means of a kind system that distinguishes between guarded and unguarded types. On the other hand, this feature allows for a definition of a system of sized types that encompasses primitive (co)recursion and course-of-value recursion.



7 Closing remarks

We have presented the logic AF2$^{\mu\nu}$, an extension of the second-order logic AF2 with Mendler-style primitive (co)recursion over least and greatest fixed points of predicate transformers. To our knowledge, this is the first such extension that includes Mendler-style (co)inductive predicates while keeping the strong normalization property. Thus, the programs extracted from the termination statements of functions are guaranteed to terminate, independently of the syntactical shape of the proof, and therefore particular methodologies to show termination, like the one in [6], are not needed. Based on the concept of monotonization of an operator, we have developed a realizability semantics of SAT-sets and SAT-valued functions for (co)inductive predicates that does not employ the usual positivity restriction. This was first achieved in [7] for essentially the propositional inductive fragment of our logic. Furthermore, our adequacy theorem does not require any ordinal recursion, in contrast to the work in [14, 15]. The iso-style of our (co)inductive definitions allows us to define data types in a way similar to the definition mechanisms of functional programming, by using a generic constructor (destructor), a feature that can easily be enhanced to use several specific constructors by means of clausular definitions (see [10]), a mechanism which also makes it unnecessary to use either existential or restricted formulas. By means of examples, we have shown the suitability of the logic for extracting programs from proofs. However, the concept of formal data type and other semantical foundations of the program extraction method, like the issue of equality for coinductive data types, as well as the development of more sophisticated case studies, are work in progress.